wss message
Subject: X.509v1 Certificate Support in 1.0 Errata



The current errata [1] line 211 and [2] sections 3.3 through 3.7 implement changes intended to allow X.509v1 certificates to be used with WSS 1.0. The changes as described in the errata are not backward compatible with the WSS 1.0 standard. This has resulted in confusion and interoperability problems since some vendors are implementing according to the errata and others are implementing according to the WSS 1.0 standard.

I suggest we revisit the errata to allow use of X.509v1 certificates while retaining backwards compatibility with the WSS 1.0 standard. My preferred alternative would be to rollback the change of the URI from "...#X509v3" to "...#X509", rollback the change of the URI from "...#X509SubjectKeyIdentifier" to "...#X509v3SubjectKeyIdentifier", and add a URI for "...#X509v1". Specific changes would be:

Revise [1] as follows:

1) replace the 3rd row of the table on line 211 containing:
        #X509 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509
with two rows containing:
        #X509v1 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v1
        #X509v3 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3

Revise [2] as follows:

2) change section 3.3 deleting line 82 and changing line 83 to:
        Insert a new first cell at line 172 containing:
        Single certificate #X509v1 An X.509 v1 signature-verification certificate.

3) remove section 3.6

4) remove section 3.7

A less attractive (to me) alternative to the "...#X509v1" URI described in #1 would be to add a statement to the errata that makes it clear that you may include an X.509v1 certificate when the URI states "...#X509v3". The reason I find this less attractive is that it changes the expected behavior of the existing URI. By adding a new URI we allow implementations to support X.509v1 while allowing those that chose not to, to correctly function without change.

Thanks,
Mike

[1] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) Errata 1.0 Committee Draft 200401, October 2004
http://www.oasis-open.org/committees/download.php/11146/oasis-200401-wss-soap-message-security-1.0-errata-004.pdf

[2] Web Services Security: X.509 Token Profile 1.0 Errata 1.0 Committee Draft 200401, October 2004
http://www.oasis-open.org/committees/download.php/11145/oasis-200401-x509-token-profile-1.0-errata-004.pdf
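
As an added, illustrative example that is not part of the original message or of any OASIS or vendor implementation: the check below shows how a WS-Security receiver decides whether it can consume a wsse:BinarySecurityToken, first by matching the ValueType URI against the URIs it recognizes, then by reading the certificate's actual X.509 version out of the DER (the optional [0] EXPLICIT version field of TBSCertificate, absent for v1) and comparing it with what the URI promises. The three policy tables are my reading of the positions discussed above (WSS 1.0 as published, the errata's "#X509" URI, and the proposed "#X509v1" URI); the "#X509v1" URI is a proposal, not a published value. The DER blobs are constructed skeletons containing only the version and serial-number fields this check inspects, not real certificates, and the wsse/wsu namespace and Base64Binary EncodingType URIs are the published WSS 1.0 values.

```python
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0"

VALUETYPE_X509V3 = PROFILE + "#X509v3"            # WSS 1.0 as published
VALUETYPE_X509_ERRATA = PROFILE + "#X509"         # errata replacement for #X509v3
VALUETYPE_X509V1_PROPOSED = PROFILE + "#X509v1"   # proposed in the message above (assumption, not published)

# ValueType URI -> certificate versions a receiver accepts under it (my reading of each position).
WSS10_POLICY = {VALUETYPE_X509V3: {3}}
ERRATA_POLICY = {VALUETYPE_X509_ERRATA: {1, 2, 3}}
PROPOSED_POLICY = {VALUETYPE_X509V3: {3}, VALUETYPE_X509V1_PROPOSED: {1}}


def _read_tlv(buf, pos):
    """Parse one DER tag and length at buf[pos:]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def x509_version(der):
    """Return 1, 2 or 3 from Certificate.tbsCertificate.version ([0] EXPLICIT INTEGER, DEFAULT v1)."""
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, cert_start)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:                         # no [0] tag: version field omitted, so v1
        return 1
    tag, i_start, i_end = _read_tlv(der, v_start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1   # encoded 0/1/2 -> v1/v2/v3


def check_token(xml_text, policy):
    """Classify the first wsse:BinarySecurityToken under a ValueType policy."""
    root = ET.fromstring(xml_text)
    bst = root.find("{%s}BinarySecurityToken" % WSSE_NS)
    if bst is None:
        return "no-token"
    value_type = bst.get("ValueType")
    if value_type not in policy:            # URI this receiver was not built to understand
        return "unknown-valuetype"
    version = x509_version(base64.b64decode(bst.text or ""))
    if version not in policy[value_type]:   # URI promises one version, DER carries another
        return "version-mismatch"
    return "ok"


# --- constructed sample input (DER skeletons, not real certificates) ---
def _der(tag, content):
    assert len(content) < 128               # short-form length is enough for these skeletons
    return bytes([tag, len(content)]) + content


V3_SKELETON = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")))
V1_SKELETON = _der(0x30, _der(0x30, _der(0x02, b"\x01")))   # version absent, serialNumber first


def token_xml(value_type, der):
    """Build a minimal wsse:Security header carrying one Base64 DER token (constructed sample)."""
    return (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">'
        '<wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="%s" EncodingType="%s">%s'
        '</wsse:BinarySecurityToken></wsse:Security>'
        % (WSSE_NS, WSU_NS, value_type, BASE64_ENCODING, base64.b64encode(der).decode())
    )


if __name__ == "__main__":
    # A WSS 1.0 receiver meeting an errata-style "#X509" token: the interoperability failure above.
    print(check_token(token_xml(VALUETYPE_X509_ERRATA, V3_SKELETON), WSS10_POLICY))
    # The same receiver meeting the proposed "#X509v1" URI: unchanged code still fails cleanly.
    print(check_token(token_xml(VALUETYPE_X509V1_PROPOSED, V1_SKELETON), WSS10_POLICY))
```

The two layers are deliberate: the URI check is what an implementation that only knows WSS 1.0 applies, so a new URI is rejected rather than misinterpreted, while the DER version check catches a v1 certificate presented under the "#X509v3" URI, which is exactly the behavior change the "less attractive" alternative would introduce.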
